A number of industries are exploring the possible advantages of incorporating blockchain as a highly secure form of transmitting data. However, until recently, there has been little guidance on how the pharma industry might adopt blockchain technology without fear of putting patient safety, product quality, and data integrity at risk.
This has changed with the recently released second edition of ISPE’s GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized systems. ISPE GAMP 5 guidelines have been updated to include a new appendix that provides organizations with points to consider in making the shift to blockchain to support GxP processes. Below, we explain a few key points covered in the recently released guideline that pharma companies should consider before adopting blockchain technology.
What is blockchain?
Blockchain is a real-time technology that supports secure, transparent transactions through the use of immutable, decentralized digital records. The technology earns its name from its structure, which features blocks of individual records mathematically connected forming a chain.
Blockchain promises companies a high level of security, transparency, traceability, and cost reductions around the management of data, among other benefits that may vary based on the intended use of the technology.
In the life sciences industry, smart contracts are one of several potential applications of blockchain. They provide new levels of trusted transparency into pharma supply chains. Because blockchain data cannot be altered or deleted, smart contracts can be used to track pharmaceutical product components throughout the entire supply chain.
Now, ISPE GAMP 5, within its computer system validation framework, provides insight into how companies can adopt blockchain, using a risk-based approach and validation strategies.
Understanding blockchain components will reduce the risk
The first step to adopting blockchain technology is to understand how you intend to use blockchain, then, you need to understand its components. It is also essential to have a thorough understanding of all the technology interactions occurring in a blockchain, including APIs, smart contracts, and other technologies. These are all crucial elements of a risk-based approach.
Verification is required around the following topics:
- The intended use of the blockchain solution.
- The ancillary systems with which the blockchain will pull and push data.
- The high-level risks are associated with patient safety, product quality, and data integrity.
- The business logic is managed within smart contracts, if applicable.
- The role blockchain plays in the overarching system.
- The data is managed across the network, including on-chain, off-chain, and metadata.
- The type of blockchain protocol and any special considerations needed for this.
As soon as high-level risks and business-process steps have been identified, it is possible to construct a data flow chart to display inputs, outputs, and how data courses through the system. This system landscape provides a useful overview of interactions within the system.
Figure 1- Example of Data Flow for a Blockchain-Integrated SolutionSource: ISPE GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems, Second Edition
Strategies to reduce risk with a blockchain solution
Before implementing a blockchain project, it is critical to clearly define desired goals and a process for ensuring successful outcomes. Any such plan should address the following areas:
- Definition of Project Scope: This ensures that project work is structured and subdivided into manageable segments. Roles and responsibilities should be assigned with metrics to ensure accomplishment. Each activity must be adequately defined to facilitate communication and the performance of work.
- System landscape: Every component of the system must be identified, facilitating the evaluation of risks and providing a complete overview of the environment.
- Stakeholders and service providers: A governance structure should be set up early in the project phase since there are likely to be many stakeholders, both internal and external, on the blockchain network.
- Data- and process-driven approach: As part of a GxP environment, it would be appropriate to use a data- and process-driven approach to rely on a blockchain network.
- Understanding data: Data mapping should be performed to align data—including the source of origin, source of truth, and ownership standpoint—to ensure a seamless transition to blockchain in compliance with ALCOA + requirements.
- Controls: Establish the set of controls that will help to ensure the system is operating as intended. This may include but is not limited to, input controls, output controls, processing controls, and access controls.
- Change management: The change management of the blockchain solution should be looked at for the entirety of the GxP use case. Any systems that will interact with the network can be managed using Agile change management approaches. For public chains, it is important to keep in mind that the core protocol will likely be open-sourced and managed by a community.
- Blockchain governance: Organizations must keep abreast of updates and changes in the chain and determine the GxP impact of updating, or choosing not to update, their applications. This may include the potential to “fork” the chain, or create two diverging paths.
- Smart contracts: Core or custom-developed smart contracts execute specific “tasks” automatically in the chain. Because these tasks can be upgraded over time, they must also be included within the scope of the change management process.
Once these items have been addressed, you can launch your blockchain project.
Blockchain and GxP-regulated environments
The use of blockchain networks brings additional considerations that fall beyond the direct software development cycle.
To demonstrate that blockchain can be applied in a GxP-regulated environment, it’s essential to verify certain aspects that fall outside the quality management system (QMS). This is essential for evaluating and demonstrating the suitability of the system within the GxP-regulated environment.
These areas may include:
- Maturity of the blockchain: An emerging technology requires rigorous evaluation before adoption. The adopter needs to ensure that a thorough evaluation is performed.
- Vendor support: As with a typical vendor qualification, the adopter must verify that the blockchain vendor is trustworthy. Does the vendor operate a QMS? Do they have software development and process management controls in place?
- The pace of change: Is the blockchain’s change governance process mature? Are architectural changes well communicated and documented?
- Cryptography and proofs in place: Verify the hashing and asymmetric encryption, and determine the level of security based on the linking of blocks by hash functions (information stored in the blocks that only authorized recipients can decode), signatures generated, and public and private keys.
How to ensure data integrity
Data on blockchain will be connected from multiple sources, and will, in many cases, represent the current state of the system. In such a scenario, it is important to establish data quality controls to ensure the data recorded in the blockchain remains in sync with the data generated at the source of origin.
It’s also essential to ensure the privacy and confidentiality of sensitive data and transactions are maintained within this decentralized and distributed network.
Data mapping and application of the ALCOA+ framework can help to identify potential deficiencies in either of these areas. In general, best practices will include:
- Avoiding the storage of sensitive data on-chain.
- Encryption and obfuscation controls for on-chain data.
- Using mature cryptographic procedures.
- Establishing processes for cryptographic key management.
- Using mechanisms to anonymize transactions or shield the logic in smart contracts.
Understand your risks
Blockchain is no longer an unknown technology related to the crypto world. As more companies realize the wide range of benefits it can provide, it will certainly see more widespread use.
However, companies in a regulated GxP environment must remain cognizant of the fact that the use of an emerging technology carries certain risks.
For the successful and secure adoption of blockchain, pharma companies must put a risk-based approach to implementation in place. With an eye to ALCOA+ requirements, ISPE GAMP 5 guidance, and a robust QMS in place, pharma companies can begin to realize these advantages.
Any concerns? Reach out to us! If you need any support in dealing with the topics mentioned in this article, please contact GxP-CC today for a conversation.